Sunday, April 17, 2016

EMV in the United States: Chip and Confusion

A little over a year ago, I wrote a post detailing the upcoming transition to EMV chip cards in the United States. Well now, six months after the October 1, 2015, liability shift that the media latched on to as "the day the US would start using EMV" (even though there were places where it could be used for at least a year prior), I've come to a conclusion on the current state of affairs. While many countries have "Chip and PIN", and a handful of other countries have "Chip and Signature", in the United States, we have "Chip and Confusion".

Before I get to far into this (seeing as my previous post worked out to be twelve pages long), I'll give my advice to ease the confusion up front: Don't overthink it. Whether you're a customer or a cashier, just do what the little screen says. If the screen says "insert", insert. If it doesn't, swipe. If it asks for a PIN, enter it. The other bit of advice I can give is that this confusion should be temporary. I've seen comments by people in other countries like Canada that already went through the transition to chip cards, and they indicate that there was confusion at first, but within a year or so people got used to dipping cards instead of swiping them.

I also made a flow chart of how the card payment process is currently working in the US. Without a chip card, things are fairly straight forward with not to many complications. But now, with the introduction of chip cards, sporadic merchant acceptance, and complications from debit cards, things are a lot more complicated.

So the biggest point of confusion for customers seems to be what they're supposed to do with the chip cards. Either they never use the chip, or they're never sure if they're supposed to use the chip or swipe, and seem to always do the wrong thing first. The crux of this problem is that while many places have chip readers, they don't all have the chip reader enabled. There are a variety of reasons for this, but for retailers with customer-facing terminals, it generally boils down to the software part isn't ready yet. Most of these retailers have point of sale systems that integrate payment handling with the rest of their systems, and so those systems need to be upgraded to support EMV transactions. Not only do the software changes have to be made, they also have to be certified, and there are backlogs in getting that completed.

I think most of that confusion can be avoided just by paying attention to the screen. With only a couple of exceptions that I've run into, if the screen says "insert", then the chip reader is enabled and I insert the card and the transaction is completed. If it doesn't, then I swipe. The more problematic case when this didn't work for me was at Vons, the brand used by Safeway in Southern California. There, I've run into terminals that say "swipe or insert", even though they don't have EMV enabled, and in one case I saw that prompt on a terminal that didn't have a card reader at all. What made this frustrating is that when I did insert, nothing happened. At another place where the terminal prompted to insert even though the chip reader didn't work, I got an error and was prompted to swipe, which is a more reasonable behavior since it at least instructs the customer what to do.

The other option would be to swipe first, then insert if prompted. This will work since a properly programmed EMV terminal will detect the card has a chip (there's a code included in the magnetic stripe that indicates this) and instruct the customer to insert the chip instead. The problem with doing this is that it exposes the customer to having the magnetic stripe on their card read and copied by a compromised terminal.

The second point of confusion seems to be signature versus PIN. Most US-issued cards are, at least for now, keeping things the same as they were before the arrival of EMV. Credit cards require a signature, while debit cards can either require a signature if run as "credit" or a PIN if run as "debit". The source of confusion seems to be primarily debit cards; I'll get to those in a moment.

Credit cards don't seem too bad; all of the major card issuers are issuing Chip and Signature cards so the customer is asked to sign in the vast majority of cases, just like they did with magnetic stripe credit cards, so there's not much change. Some do support PIN as well, for those places that can't handle a PIN. I haven't heard of any places like that in the US, though the PIN could be asked for at places like train ticket kiosks and self-service gas pumps in Europe. Barclaycard US does a good job of describing this on their web site:

In most cases, you’ll then be prompted to sign for your transaction. But at self-service terminals like ticket kiosks and some gas pumps, you may need to enter your 4-digit PIN.

A handful of US banks are issuing Chip and PIN cards, meaning that the card is configured to prefer PIN over signature. Ones I know of include Target's REDcard, Santander Bank, First Niagara Bank, United Nations Federal Credit Union, and First Tech Federal Credit Union. While I don't have any first-hand experience with them, their websites do emphasize that the customer should expect to be prompted for their PIN in most cases, such as this example from First Niagara:

First Niagara is committed to preventing fraud and fraud losses by requiring a PIN on most credit and debit card transactions performed in person. While some financial institutions are not requiring a PIN, we have taken this additional step to ensure our customer's card information is as secure as possible. If a PIN is not requested, you may be asked to sign a receipt, as you do today.

It seems like the biggest point of confusion, or at least complication, related to this in the US comes from merchants not expecting Chip and PIN credit cards. I've heard reports of cashiers canceling the transaction when prompted for a PIN; presumably these merchants normally just process debit cards as "credit" so they aren't used to seeing a PIN prompt, and think "that's not right, we don't do debit". Chalk that up to poor training, since the right way to do this is to ask the customer to enter their PIN. The bigger problem is restaurants. As long as they continue with the model of the server taking the card away from the table to process the card in "the back", Chip and PIN cards will be quite a hassle since the customer will need to follow the server to enter their PIN. The right way to do this is to shift to "pay at the table" where the cashier brings a handheld portable credit card terminal to the table to allow the customer to pay, or use a tabletop kiosk. This has the additional advantages of removing the opportunity to have the card details copied while the card is out of the customer's sight, as well as the opportunity to fraudulently increase the amount of the tip after the customer has left the restaurant. Alternatively, restaurants could shift to the model of having customers pay at a cashier's station by the restaurant's exit, though I don't think many places will make this change as it tends to be associated more with lower-end, diner-type restaurants like Denny's.

One thing to keep in mind about the problem with Chip and PIN cards for merchants that aren't expecting them is that it's not limited to the handful of smaller banks issuing them. Visitors from many other countries will be using Chip and PIN cards. Before this wasn't an issue since when a Chip and PIN card was swiped in the US, it was treated just like an American card and the customer would be asked to sign. But as American merchants begin dipping these cards in the chip reader, the customer will be prompted to enter a PIN just as they would in their home country.

But the big problem is debit cards. US law requires that debit cards offer merchants the choice of routing transactions over at least two different unaffiliated networks. In practice, this commonly ended up giving the customer a choice of having their card processed as "credit" (signature) or "debit" (PIN), though there were exceptions. Restaurants typically would process only as credit to avoid the hassle of dealing with getting the customer's PIN, and some stores such as WinCo, Costco, and ARCO chose to keep costs down by accepting only (or primarily) debit cards.

Not only is this routing requirement unique to the US, it's compounded by the lack of a single national dominant debit processing network like Interac in Canada or EFTPOS in Australia and New Zealand. So it took a while for the industry to agree on a standard on how to get this to work with EMV, and as a result many of the first stores to implement EMV could only process EMV debit cards as "credit". This resulted in customers thinking their new EMV chip debit cards were less secure than their old magnetic-stripe only cards, since instead of being asked for a PIN, they were instead being asked to sign, or even do nothing at all since many retailers aren't required to collect a signature for small purchases. But now that retailers have EMV debit working, things have swung the other way. Some merchants, notably Kroger, have taken advantage of the switch to EMV and have taken away the "credit" or "debit" choice from customers using debit cards. While credit cards will be processed as they always have, debit cards at these merchants are now processed only as "debit" and a PIN is required. This is causing problems for a whole other set of customers who are used to selecting "credit" and signing with their debit cards, and either don't know or don't want to have to enter their PIN.

I don't want to dwell too much on yet another area of confusion, and that is knowing how to use card in the chip reader. Customers have gotten used to ATMs and self service machines where they insert the card into a reader, not unlike a chip reader, but instead of leaving it in the reader, they insert and remove it quickly in one motion. So the first time a customer attempts to use a chip reader, they may attempt the same thing, inserting and removing the card right away. However, the card needs to be left in the reader in order for the chip to do its thing, so this insert and remove motion doesn't work. Similarly, customers may not push the card all the way into the reader, even though they do leave it in. Fortunately, it seems like this is more of a problem of simply getting used to doing something different. I can imagine similar things happened (swiping too fast or too slow, or swiping the card such that the magnetic stripe doesn't even come in contact with the reader) when customers began swiping their own cards, rather than the cashier doing it.

So what do we have? Customers who don't know whether to dip or swipe. Cashiers who have never heard of credit card PINs. Customers not having the expected choice of "credit" or "debit" for debit cards. And very few people who even seem to know why these chip cards exist in the first place.